By now, you are probably hearing about the General Data Protection Regulation in relation to lead generation, web processes, design, direct marketing – the list goes on. Non-compliance is not an option, but as an SME, you can’t help feeling that an entire industry of consultants and audit experts is raking it in, trading on scare tactics and high-end legal services.
Acting now would be a good step in ensuring you do not have to throw yourselves at the mercy of such organisations. But for a small business, just getting hold of a decent GDPR checklist is tricky. Fortunately, you can go to the source and get a great plain-speaking paper. The UK-based Information Commissioner’s Office (ICO) is the place to start. This organisation is:
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
And you can download a straightforward GDPR checklist and advice sheet PDF here
To introduce GDPR to your teams, it can be helpful to get them thinking about what data protection and privacy really means. Establishing this thinking from the outset will add context to the upcoming tasks, and get everyone on board. Some areas you can cover are:
- Document the personal data your company holds, challenge yourselves on why you have it, and ask where it came from. Look carefully at who you share it with, and at whether it’s still relevant and necessary for your current marketing/CRM initiatives.
- Can you effectively process and service citizens’ data requests? GDPR allows EU citizens to request that personal data is deleted, amended, or moved to a different organisation. It’s your responsibility to make it possible for someone to complete these requests within one month – and ideally it should be there and then at the time of asking. And from a resource point of view, making such facilities available could save you a lot of time further down the line.
- Opt-out boxes aren’t good enough anymore. GDPR requires you to establish a lawful basis for collecting data on the individual. You will also need to ensure the individual is given the option for their data to be processed only for a limited period of time, and for a specific purpose. Make the option to withdraw consent readily available too.
- What are your responsibilities if there is a data breach? Draw up contingency plans to notify the data protection authority of any data breach within 72 hours of becoming aware of it.
Finally, have a single point of contact by appointing a Data Protection Officer. It may sound like overkill for an average SME, but it shows you take GDPR seriously, and your own compliance tasks on the GDPR checklist can be scrutinized and challenged internally before any issues arise.
Hopefully this article has helped you breathe a little easier at the thought of GDPR. Although we do not profess to be experts in the field, at Goldladder we are looking closely at digital marketing services in relation to GDPR, so we are always happy to talk if you have any questions along these lines.